Published on October 7th, 2021 | by Dr. Cemal Dikmen
Just a tiny fraction of cryptocurrency transactions are related to criminal activity, but they are still a critical mechanism for payment associated with crimes that range from human and drug trafficking to terrorism and ransomware. Cryptocurrency transactions associated with criminal activity accounted for about US$10B in 2020, including $2.6B lost by consumers in cryptocurrency-related scams. Following the money as a primary investigative tool necessitates tracking cryptocurrency movements, which requires new tools and techniques.
The power to detect, interrupt, and neutralize criminal activity by tracking cryptocurrency movements has proven to be a critical capability for law enforcement, as highlighted by recent high-profile successes:
- In June 2021, the US Department of Justice seized US$2.3M in cryptocurrency, recovering in just under a month the payment made to cyber criminals who attacked Colonial Pipeline with ransomware.
- In August 2021, the Victoria, Australia Police seized a record AU$8.5M (approximately US$6.2M) linked to drug trafficking on the dark web.
Still, tracking the movements of cryptocurrency remains complex, particularly when multiple hops across many jurisdictions obscure the path from one wallet to another. Law enforcement agencies (LEAs) and others investigating such transactions commonly cannot proceed beyond the first or second hop, hampering intelligence gathering. Meanwhile, the scope of interest in tracking cryptocurrency transactions is expanding beyond traditional law-enforcement usages.
Mitigating the Complexities of Tracking Cryptocurrency Transactions
While cryptocurrencies such as Bitcoin, Ethereum, Litecoin, and others were explicitly designed for privacy, beyond the reach of governments, transactions paradoxically occur for the most part over open platforms and are recorded in public ledgers. That reality means that, as cryptocurrency moves in a series of machine-to-machine interactions, it creates a ledger with a digital footprint that can be recognized and gathered as evidence. Most cryptocurrency transactions can be freely monitored; the intelligence-gathering challenge lies in identifying the transactions of interest and attributing them to real-world parties.
Indicators that a transaction warrants investigation can be as simple as a transaction endpoint in a prohibited geography or within a specific known area of the dark web. They may also be as complex as multi-dimensional relationships between events or subtle anomalies in data movement that are detected using advanced analytics. Once a transaction is identified as having investigative value, its path must be reassembled from across multiple systems, including information such as the IP address, timestamp, and geographical location for the transaction’s origination and termination points, as well as each intermediate hop.
Identifying cryptocurrency transactions of interest to LEA investigators has similarities to anomaly-detection practices used in cybersecurity threat hunting. For example, machine-learning models can be trained to recognize typical transaction activity within cryptocurrency markets, as well as aberrations from those norms that indicate transactions of interest. Measures such as correlation of contextualized events and pattern analysis within monitored machine-to-machine traffic can be configured to listen for and draw attention to potentially illicit transactions. Patterns can be identified and refined to inform machine-learning detection of specific criminal activities, such as money laundering, financial terrorism, drug dealing, extortion, and others. Those analytics provide the ability to draw meaning from an otherwise overwhelmingly vast body of transaction data so that LEAs and others can make use of it.
Illuminating cryptocurrency-related activities depends as much on visibility into end-to-end transactions as it does on drawing conclusions on the basis of that information. SS8 lawful intelligence platforms make it possible to trace transaction data paths while also making that data available and easy to consume within monitoring tools. This traceability enables LEAs to perform targeted queries, visualizations, and other analyses on the data to help build cases. Manual investigative work then proceeds in tandem with automated processes, such as crypto detection, within a particular investigative case.
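The multi-hop reassembly described above, as an added illustration that is not SS8 platform code: a constructed in-memory ledger and a constructed attribution table (both hypothetical, with single-letter addresses standing in for wallet addresses) are walked forward from an address of interest under a hop limit, which shows how a trail capped at two hops can end before any attributed endpoint is reached.

```python
from collections import deque

# Constructed sample ledger (not real chain data): each record moves value
# from one sending address to one or more receiving addresses.
LEDGER = [
    {"txid": "tx1", "ts": "2021-06-01T10:00Z", "from": "A", "to": ["B", "C"]},
    {"txid": "tx2", "ts": "2021-06-01T11:00Z", "from": "B", "to": ["D"]},
    {"txid": "tx3", "ts": "2021-06-02T09:00Z", "from": "D", "to": ["E", "F"]},
    {"txid": "tx4", "ts": "2021-06-03T12:00Z", "from": "F", "to": ["G"]},
    {"txid": "tx5", "ts": "2021-06-01T12:00Z", "from": "C", "to": ["A"]},  # loops back
]

# Constructed attribution table (hypothetical): addresses an investigator has
# already tied to a real-world party, e.g. an exchange deposit address.
ATTRIBUTION = {"G": "exchange-X deposit", "E": "darknet-market wallet"}

def build_index(ledger):
    """Index outgoing transactions by sending address for fast lookup."""
    idx = {}
    for tx in ledger:
        idx.setdefault(tx["from"], []).append(tx)
    return idx

def trace_forward(ledger, start, max_hops):
    """Breadth-first walk of fund flows from `start`, stopping after `max_hops`.
    Returns (hop, path_of_txids, address, label) for every address reached,
    so the investigator can see exactly where the trail ends."""
    idx = build_index(ledger)
    seen = {start}
    queue = deque([(start, 0, [])])
    reached = []
    while queue:
        addr, hop, path = queue.popleft()
        if hop == max_hops:
            continue  # hop budget exhausted: do not expand this address
        for tx in idx.get(addr, []):
            for nxt in tx["to"]:
                if nxt in seen:
                    continue  # ignore loops and already-visited addresses
                seen.add(nxt)
                reached.append((hop + 1, path + [tx["txid"]], nxt, ATTRIBUTION.get(nxt)))
                queue.append((nxt, hop + 1, path + [tx["txid"]]))
    return reached

def attributed_endpoints(ledger, start, max_hops):
    """Only those reached addresses that carry an attribution label."""
    return [r for r in trace_forward(ledger, start, max_hops) if r[3]]
```

With the hop limit raised to four, the same walk reaches both attributed addresses and reports the full transaction path to each.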
Detecting Unauthorized Crypto-Mining
Cyberattacks that illicitly install crypto-mining malware that siphons off compute power from victims continue to be profitable for perpetrators, creating an ongoing threat to IT organizations of all types and sizes. Such so-called “crypto-jacking” attacks cost data center operators money by elevating power usage and causing system wear that could shorten the lifespan of computing equipment. Insider threats may also exist, where a malicious systems administrator, for example, could surreptitiously install crypto-mining software on client or server systems for personal profit. Some jurisdictions also prohibit crypto-mining because of environmental concerns related to the practice’s massive energy consumption. In all these examples, every cryptocurrency transaction represents a matter of concern in its own right, independent of association with other activities.
Identifying network packets associated with unauthorized crypto-mining operations is a straightforward use case for SS8 platforms. Continuing enablement of SS8 extraction tools provides visibility into enterprise and other traffic flows associated with cryptocurrency transactions, including information such as the transaction endpoints, intermediate hops, IP addresses, and geographic details. This set of capabilities draws on SS8’s more than two decades of work capturing hidden insights from communication data.
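One way to pick mining-protocol packets out of captured traffic, added here as an example and not SS8 platform code: it inspects the first JSON-RPC line of constructed flow records for Stratum v1 method names (mining.subscribe, mining.authorize, mining.submit) and for the login/agent handshake used by CryptoNote-style miners; the flow-record shape is an assumption, and encrypted or non-JSON payloads are left unclassified rather than guessed at.

```python
import json

# Stratum v1 (JSON-RPC over TCP) method names exchanged by pool-mining clients and pools.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}

# Constructed flow records (not real captures): first payload line of each TCP session.
SAMPLE_FLOWS = [
    {"src": "10.0.5.17", "dst": "203.0.113.9", "dport": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
    {"src": "10.0.5.17", "dst": "203.0.113.9", "dport": 3333,
     "payload": '{"id":2,"method":"mining.authorize","params":["wallet.rig1","x"]}'},
    {"src": "10.0.5.22", "dst": "198.51.100.4", "dport": 443,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"<wallet>","pass":"x","agent":"XMRig/6.15.0"}}'},
    {"src": "10.0.5.30", "dst": "192.0.2.80", "dport": 80,
     "payload": 'GET /index.html HTTP/1.1'},
    {"src": "10.0.5.31", "dst": "192.0.2.81", "dport": 8080,
     "payload": '{"id":7,"method":"getBalance","params":[]}'},  # JSON-RPC, not mining
    {"src": "10.0.5.32", "dst": "192.0.2.82", "dport": 3333,
     "payload": '\x16\x03\x01\x02\x00'},  # TLS handshake: payload is opaque
]

def classify_payload(payload):
    """Return a reason string if the payload looks like a mining-protocol message, else None."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return None  # not JSON (HTTP, TLS, binary): content cannot be inspected here
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return f"stratum:{method}"
    params = msg.get("params")
    # CryptoNote-style pools (e.g. XMRig) open with a "login" call carrying an agent string.
    if method == "login" and isinstance(params, dict) and "agent" in params:
        return f"cryptonote-login:{params['agent']}"
    return None

def find_mining_flows(flows):
    """Return (src, dst, dport, reason) for every flow whose payload matches a mining protocol."""
    hits = []
    for f in flows:
        reason = classify_payload(f["payload"])
        if reason:
            hits.append((f["src"], f["dst"], f["dport"], reason))
    return hits
```

The unclassified TLS flow is the caveat: once pool traffic is encrypted, payload inspection alone cannot confirm mining, and endpoint-side indicators or metadata analysis have to carry the detection.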
SS8 is working with the broader ecosystem of solution providers to make this information broadly available within enterprise IT Operations workflows, complementing observability, event management, and cybersecurity tools and functions. Usability plays a fundamental role in this enablement, helping make capabilities such as creating automated monitoring frameworks accessible to first-line operators, accelerating adoption and time to value. These efforts also include working toward solutions for tracking cryptocurrency across multiple international and regional jurisdictions and regulatory frameworks, reflecting the truly global nature of these transactions.
SS8 extends cryptocurrency-related analysis and visualization capabilities across every topology that the platforms have access to, including internal enterprise networks as well as public telecommunications infrastructure. As the share of global finance represented by cryptocurrency continues to grow, the ability to detect and understand transactions will become increasingly important.
To learn more about a powerful digital communications analysis solution, visit the SS8 website.
About Dr. Cemal Dikmen
As SS8’s CTO, Cemal plays an integral role in the company’s strategic direction, development, and future growth. A renowned expert and thought leader in the legal compliance and communications analysis domain, he has been a frequent speaker at various industry conferences over the past 10 years. Cemal holds BS, MS, and PhD degrees in Electrical Engineering. You can learn more about Cemal on his LinkedIn profile.
About SS8 Networks
SS8 provides Lawful Intelligence platforms. It works closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies, and its technology incorporates the methodologies discussed in this blog. Xcipio® is already proven to meet the very high demands of 5G and provides the ability to transcode (convert) between lawful intercept handover versions and standard families. Intellego® XT natively supports ETSI, 3GPP and CALEA handovers, as well as national variants. Intellego XT’s MetaHub component is a best-in-class data analytics tool. Both product portfolios are used worldwide for the capture, analysis and delivery of data for the purposes of criminal investigations.